// Copyright (c) 2016, Google Inc. // // Permission to use, copy, modify, and/or distribute this software for any // purpose with or without fee is hereby granted, provided that the above // copyright notice and this permission notice appear in all copies. // // THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY // SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. package runner import ( "bytes" "crypto/aes" "crypto/cipher" "crypto/hmac" "crypto/sha256" "encoding/asn1" "errors" ) // TestShimTicketKey is the testing key assumed for the shim. var TestShimTicketKey = make([]byte, 48) func DecryptShimTicket(in []byte) ([]byte, error) { name := TestShimTicketKey[:16] macKey := TestShimTicketKey[16:32] encKey := TestShimTicketKey[32:48] h := hmac.New(sha256.New, macKey) block, err := aes.NewCipher(encKey) if err != nil { panic(err) } if len(in) < len(name)+block.BlockSize()+1+h.Size() { return nil, errors.New("tls: shim ticket too short") } // Check the key name. if !bytes.Equal(name, in[:len(name)]) { return nil, errors.New("tls: shim ticket name mismatch") } // Check the MAC at the end of the ticket. mac := in[len(in)-h.Size():] in = in[:len(in)-h.Size()] h.Write(in) if !hmac.Equal(mac, h.Sum(nil)) { return nil, errors.New("tls: shim ticket MAC mismatch") } // The MAC covers the key name, but the encryption does not. in = in[len(name):] // Decrypt in-place. iv := in[:block.BlockSize()] in = in[block.BlockSize():] if l := len(in); l == 0 || l%block.BlockSize() != 0 { return nil, errors.New("tls: ticket ciphertext not a multiple of the block size") } out := make([]byte, len(in)) cbc := cipher.NewCBCDecrypter(block, iv) cbc.CryptBlocks(out, in) // Remove the padding. pad := int(out[len(out)-1]) if pad == 0 || pad > block.BlockSize() || pad > len(in) { return nil, errors.New("tls: bad shim ticket CBC pad") } for i := 0; i < pad; i++ { if out[len(out)-1-i] != byte(pad) { return nil, errors.New("tls: bad shim ticket CBC pad") } } return out[:len(out)-pad], nil } func EncryptShimTicket(in []byte) []byte { name := TestShimTicketKey[:16] macKey := TestShimTicketKey[16:32] encKey := TestShimTicketKey[32:48] h := hmac.New(sha256.New, macKey) block, err := aes.NewCipher(encKey) if err != nil { panic(err) } // Use the zero IV for rewritten tickets. iv := make([]byte, block.BlockSize()) cbc := cipher.NewCBCEncrypter(block, iv) pad := block.BlockSize() - (len(in) % block.BlockSize()) out := make([]byte, 0, len(name)+len(iv)+len(in)+pad+h.Size()) out = append(out, name...) out = append(out, iv...) out = append(out, in...) for i := 0; i < pad; i++ { out = append(out, byte(pad)) } ciphertext := out[len(name)+len(iv):] cbc.CryptBlocks(ciphertext, ciphertext) h.Write(out) return h.Sum(out) } const asn1Constructed = 0x20 func parseDERElement(in []byte) (tag byte, body, rest []byte, ok bool) { rest = in if len(rest) < 1 { return } tag = rest[0] rest = rest[1:] if tag&0x1f == 0x1f { // Long-form tags not supported. return } if len(rest) < 1 { return } length := int(rest[0]) rest = rest[1:] if length > 0x7f { lengthLength := length & 0x7f length = 0 if lengthLength == 0 { // No indefinite-length encoding. return } // Decode long-form lengths. for lengthLength > 0 { if len(rest) < 1 || (length<<8)>>8 != length { return } if length == 0 && rest[0] == 0 { // Length not minimally-encoded. return } length <<= 8 length |= int(rest[0]) rest = rest[1:] lengthLength-- } if length < 0x80 { // Length not minimally-encoded. return } } if len(rest) < length { return } body = rest[:length] rest = rest[length:] ok = true return } func SetShimTicketVersion(in []byte, vers uint16) ([]byte, error) { plaintext, err := DecryptShimTicket(in) if err != nil { return nil, err } tag, session, _, ok := parseDERElement(plaintext) if !ok || tag != asn1.TagSequence|asn1Constructed { return nil, errors.New("tls: could not decode shim session") } // Skip the session version. tag, _, session, ok = parseDERElement(session) if !ok || tag != asn1.TagInteger { return nil, errors.New("tls: could not decode shim session") } // Next field is the protocol version. tag, version, _, ok := parseDERElement(session) if !ok || tag != asn1.TagInteger { return nil, errors.New("tls: could not decode shim session") } // This code assumes both old and new versions are encoded in two // bytes. This isn't quite right as INTEGERs are minimally-encoded, but // we do not need to support other caess for now. if len(version) != 2 || vers < 0x80 || vers >= 0x8000 { return nil, errors.New("tls: unsupported version in shim session") } version[0] = byte(vers >> 8) version[1] = byte(vers) return EncryptShimTicket(plaintext), nil } func SetShimTicketCipherSuite(in []byte, id uint16) ([]byte, error) { plaintext, err := DecryptShimTicket(in) if err != nil { return nil, err } tag, session, _, ok := parseDERElement(plaintext) if !ok || tag != asn1.TagSequence|asn1Constructed { return nil, errors.New("tls: could not decode shim session") } // Skip the session version. tag, _, session, ok = parseDERElement(session) if !ok || tag != asn1.TagInteger { return nil, errors.New("tls: could not decode shim session") } // Skip the protocol version. tag, _, session, ok = parseDERElement(session) if !ok || tag != asn1.TagInteger { return nil, errors.New("tls: could not decode shim session") } // Next field is the cipher suite. tag, cipherSuite, _, ok := parseDERElement(session) if !ok || tag != asn1.TagOctetString || len(cipherSuite) != 2 { return nil, errors.New("tls: could not decode shim session") } cipherSuite[0] = byte(id >> 8) cipherSuite[1] = byte(id) return EncryptShimTicket(plaintext), nil }